OCSP responder returns Response timestamp error(status expired)


Article ID: 168393


Products

Mobility Threat Protection ProxySG Software - SGOS

Issue/Introduction

The OCSP responder reports the certificate as expired/invalid, but when you check the certificate yourself it is valid.
 

Cause

To confirm that this is the issue, check a PCAP of the OCSP exchange between the ProxySG appliance and the responder.

PCAP highlighting the issue
In this instance, the nextUpdate time in the OCSP response has already passed, meaning the responder missed publishing a fresh response (for whatever reason). The ProxySG therefore treats the response as expired even though the certificate itself is valid.

Resolution

Blue Coat is unable to provide a resolution for this, as this is beyond Blue Coat's control. See below for a workaround.

Workaround

The workaround is to tell the ProxySG appliance to ignore the validity period passed by the OCSP responder and use the value set in the Device Profile instead.
In the Management Console, select Configuration > SSL > OCSP, select your profile, then click Edit. The Edit OCSP responder dialog opens.

View of the OCSP profile Edit page on the ProxySG
Change Response Cache TTL from "Use TTL from the OCSP response" (the default) to "Use TTL:".
In the Use TTL: field, enter 1.

Blue Coat has had success setting this to 1 day; you might need to extend this period slightly.
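The following Python is an added illustration, not Blue Coat/SGOS code: it models how the two Response Cache TTL settings treat a response whose nextUpdate has already passed, and what changes once the cached entry outlives the configured TTL. The cache-from-fetch-time behaviour of "Use TTL:" and the 5-minute skew allowance are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class SingleResponse:
    """The fields of an OCSP SingleResponse (RFC 6960) that matter for caching."""
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # the responder may omit it

def cache_expiry(resp, fetched_at, ttl_override=None):
    """Time until which a cached OCSP result may be used (assumed model, not SGOS code).
    ttl_override=None is "Use TTL from the OCSP response": the entry is good until
    nextUpdate, so a response whose nextUpdate is already past is expired on arrival.
    ttl_override=timedelta is "Use TTL:": nextUpdate is ignored and the entry lives
    that long from the moment it was fetched.
    """
    if ttl_override is not None:
        return fetched_at + ttl_override
    if resp.next_update is None:
        return fetched_at   # RFC 6960: no nextUpdate means newer info is always available
    return resp.next_update

def evaluate(resp, fetched_at, now, ttl_override=None):
    """Return (verdict, reason) for using the cached response at time `now`."""
    if resp.this_update > fetched_at + timedelta(minutes=5):
        return "error", "thisUpdate is in the future: check clock skew against the responder"
    if now > cache_expiry(resp, fetched_at, ttl_override):
        return "error", "response timestamp error (status expired)"
    if resp.cert_status == "good":
        return "allow", "certificate status good"
    return "deny", f"certificate status {resp.cert_status}"

# Constructed scenario matching the article: nextUpdate lies two hours before the fetch.
UTC = timezone.utc
FETCHED = datetime(2024, 1, 10, 12, 0, tzinfo=UTC)
STALE = SingleResponse("good",
                       this_update=datetime(2024, 1, 8, 10, 0, tzinfo=UTC),
                       next_update=datetime(2024, 1, 10, 10, 0, tzinfo=UTC))
ONE_DAY = timedelta(days=1)

def demo():
    """Same stale response under the default setting, the 1-day override, and after it lapses."""
    default = evaluate(STALE, FETCHED, FETCHED)
    override = evaluate(STALE, FETCHED, FETCHED + timedelta(hours=20), ONE_DAY)
    lapsed = evaluate(STALE, FETCHED, FETCHED + ONE_DAY + timedelta(minutes=1), ONE_DAY)
    revoked = evaluate(SingleResponse("revoked", STALE.this_update, STALE.next_update), FETCHED, FETCHED, ONE_DAY)
    return default, override, lapsed, revoked
```

Note that the override only changes how long a fetched status is cached; a "revoked" status is still denied, and the entry still expires once the configured TTL elapses, which is why a TTL that is too short reproduces the original error.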
